Insider Credit Card Breach Leads to $400,000 Saks Shopping Spree

Six Saks Fifth Avenue employees were recently arrested in New York for using credit cards stolen from at least 22 Saks customers to purchase $400,000 in merchandise, including hundreds of pairs of designer shoes and handbags.

Tamara Williams, 36, allegedly stole the customers’ credit card data from store computers, then shared the information with five sales associates and provided them with specific lists of what they should buy from the store using the stolen credit card data.

A separate group of “fake shoppers” then allegedly took the bags of fraudulently purchased merchandise and delivered them to Williams at designated meeting places in Queens, N.Y. Some of the items were then returned to Saks, with refunds allegedly delivered to accounts in the suspects’ control.

According to ABC News, the operation continued for four months until the process was caught on store surveillance cameras. Police then raided Williams’ apartment on September 5, 2014, where they found more than 100 boxes of shoes, along with boxes of handbags and other merchandise.

Williams and the five co-conspirators (Kris Rockson, 45, Jason Chance, 25, Michael Knight-Williams, 44, Michael Bright-Asante, 39, and Alaia Harrison, 20) have been charged with grand larceny and identity theft.

Paul Trulove, vice president of product marketing at SailPoint, said by email that this is unfortunately just one of many recent examples of high-impact insider breaches. “Not only is this type of theft still taking place, it has significant impact to the organization’s bottom line, from stolen money to lost customer trust — especially given the employees used customers’ [identities] to purchase goods for their own gain,” he says. “Bottom line: the insider threat remains very real across all types of organizations.”

Simply educating employees on data policies isn’t enough, Trulove added. “Companies must institute preventive and detective controls to help safeguard data to keep their organization and their customers safe,” he said.

In another recent example, Texas’ Memorial Hermann Health System is notifying 10,604 patients that their names, addresses, medical record numbers, birthdates, health insurance information and (in some cases) Social Security numbers may have been inappropriately accessed by a former clinical employee between December 2007 and July 2014.

The breach was discovered on July 7, 2014, but notification letters weren’t mailed to affected patients until August 29, 2014.

“We value patient privacy and deeply regret any inconvenience this may have caused our patients,” Memorial Hermann said in a statement. “Although privacy training is in place for all employees, Memorial Hermann continues to investigate and to review its privacy policies and practices in an effort to prevent something like this from happening in the future.”

Similarly, Altamed Health Services recently began notifying 2,995 people that a former temporary employee may have accessed a combination of one or more of the following: name, email address, phone number, Social Security number, provider information, insurance information, birthdate and/or mailing address.

Altamed says it was notified by law enforcement on June 30, 2014, that the former employee had been found in possession of a hard drive that “may include the organization’s records, and that it believes this information may have been misused by participants in [an] identity theft ring currently under investigation.”

“The safety and privacy [of] protected health information is our utmost priority and we deeply regret this has happened,” Altamed privacy officer Shauntara Jones wrote in the notification letter [PDF], which was mailed to those affected on August 29, 2014.

A recent Courion survey found that 42 percent of senior IT security managers don’t have, or are unsure of, the ability to monitor and prevent breaches caused by accidental or deliberate staff actions — and a recent SpectorSoft survey found that 61 percent of IT professionals don’t feel adequately prepared to respond to insider threats.

“These statistics paint a bleak picture when it comes to securing company data against insider breaches,” SpectorSoft chief marketing officer Rob Williams said at the time. “With so many data breaches happening, C-level executives are coming to the realization that their jobs could be on the line if company data isn’t protected.”

A recent eSecurity Planet article offered several recommendations on how to defend against insider threats.

Photo courtesy of Shutterstock.

Jeff Goldman
Jeff Goldman
Jeff Goldman has been a technology journalist for more than 20 years and an eSecurity Planet contributor since 2009.

Latest articles

Top Cybersecurity Companies

Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.
Get the Free Newsletter!
Subscribe to Cybersecurity Insider for top news, trends & analysis
This email address is invalid.

Related articles